c0a1c2e12875e25454ed903f70af08d78d4d1668a9754ada2f11e555bec02581

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 18:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0a1c2e12875e25454ed903f70af08d78d4d1668a9754ada2f11e555bec02581N.exe
Size

53KB
MD5

b4cdc0b6c35c0316d064a56ddb1b1c40
SHA1

309f8d75c7b64703909868b7d7802cf57cc57b45
SHA256

c0a1c2e12875e25454ed903f70af08d78d4d1668a9754ada2f11e555bec02581
SHA512

957e92fa97358b455fd4e321fcf2981a087f87ddccc044597b47ee3bc911787865d5daf1dfb0d084f94c29b638f49ce6b40bfb8852e79d5ffd03462f7b6d62f6
SSDEEP

768:81U+8awSaWRDapppWwaMRHoUj+hkoYPVw9OvSBKfsnrz50xM0UEZHBtBdTiada+H:81ZnZw/w1y86Wz5IUEZDL24kZFc1

Score

1^/10

Malware Config

Signatures

Runs net.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	276	WMIC.exe
Token: SeSecurityPrivilege	276	WMIC.exe
Token: SeTakeOwnershipPrivilege	276	WMIC.exe
Token: SeLoadDriverPrivilege	276	WMIC.exe
Token: SeSystemProfilePrivilege	276	WMIC.exe
Token: SeSystemtimePrivilege	276	WMIC.exe
Token: SeProfSingleProcessPrivilege	276	WMIC.exe
Token: SeIncBasePriorityPrivilege	276	WMIC.exe
Token: SeCreatePagefilePrivilege	276	WMIC.exe
Token: SeBackupPrivilege	276	WMIC.exe
Token: SeRestorePrivilege	276	WMIC.exe
Token: SeShutdownPrivilege	276	WMIC.exe
Token: SeDebugPrivilege	276	WMIC.exe
Token: SeSystemEnvironmentPrivilege	276	WMIC.exe
Token: SeRemoteShutdownPrivilege	276	WMIC.exe
Token: SeUndockPrivilege	276	WMIC.exe
Token: SeManageVolumePrivilege	276	WMIC.exe
Token: 33	276	WMIC.exe
Token: 34	276	WMIC.exe
Token: 35	276	WMIC.exe
Token: SeIncreaseQuotaPrivilege	276	WMIC.exe
Token: SeSecurityPrivilege	276	WMIC.exe
Token: SeTakeOwnershipPrivilege	276	WMIC.exe
Token: SeLoadDriverPrivilege	276	WMIC.exe
Token: SeSystemProfilePrivilege	276	WMIC.exe
Token: SeSystemtimePrivilege	276	WMIC.exe
Token: SeProfSingleProcessPrivilege	276	WMIC.exe
Token: SeIncBasePriorityPrivilege	276	WMIC.exe
Token: SeCreatePagefilePrivilege	276	WMIC.exe
Token: SeBackupPrivilege	276	WMIC.exe
Token: SeRestorePrivilege	276	WMIC.exe
Token: SeShutdownPrivilege	276	WMIC.exe
Token: SeDebugPrivilege	276	WMIC.exe
Token: SeSystemEnvironmentPrivilege	276	WMIC.exe
Token: SeRemoteShutdownPrivilege	276	WMIC.exe
Token: SeUndockPrivilege	276	WMIC.exe
Token: SeManageVolumePrivilege	276	WMIC.exe
Token: 33	276	WMIC.exe
Token: 34	276	WMIC.exe
Token: 35	276	WMIC.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 584 wrote to memory of 2284	584	c0a1c2e12875e25454ed903f70af08d78d4d1668a9754ada2f11e555bec02581N.exe	32
PID 584 wrote to memory of 2284	584	c0a1c2e12875e25454ed903f70af08d78d4d1668a9754ada2f11e555bec02581N.exe	32
PID 584 wrote to memory of 2284	584	c0a1c2e12875e25454ed903f70af08d78d4d1668a9754ada2f11e555bec02581N.exe	32
PID 2284 wrote to memory of 2632	2284	cmd.exe	33
PID 2284 wrote to memory of 2632	2284	cmd.exe	33
PID 2284 wrote to memory of 2632	2284	cmd.exe	33
PID 2284 wrote to memory of 276	2284	cmd.exe	34
PID 2284 wrote to memory of 276	2284	cmd.exe	34
PID 2284 wrote to memory of 276	2284	cmd.exe	34
PID 2284 wrote to memory of 2256	2284	cmd.exe	35
PID 2284 wrote to memory of 2256	2284	cmd.exe	35
PID 2284 wrote to memory of 2256	2284	cmd.exe	35
PID 2284 wrote to memory of 2656	2284	cmd.exe	37
PID 2284 wrote to memory of 2656	2284	cmd.exe	37
PID 2284 wrote to memory of 2656	2284	cmd.exe	37
PID 2284 wrote to memory of 2692	2284	cmd.exe	38
PID 2284 wrote to memory of 2692	2284	cmd.exe	38
PID 2284 wrote to memory of 2692	2284	cmd.exe	38
PID 2656 wrote to memory of 2708	2656	net.exe	39
PID 2656 wrote to memory of 2708	2656	net.exe	39
PID 2656 wrote to memory of 2708	2656	net.exe	39
PID 2284 wrote to memory of 2812	2284	cmd.exe	40
PID 2284 wrote to memory of 2812	2284	cmd.exe	40
PID 2284 wrote to memory of 2812	2284	cmd.exe	40
PID 2284 wrote to memory of 2944	2284	cmd.exe	41
PID 2284 wrote to memory of 2944	2284	cmd.exe	41
PID 2284 wrote to memory of 2944	2284	cmd.exe	41
PID 2812 wrote to memory of 2660	2812	net.exe	42
PID 2812 wrote to memory of 2660	2812	net.exe	42
PID 2812 wrote to memory of 2660	2812	net.exe	42
PID 2284 wrote to memory of 2684	2284	cmd.exe	43
PID 2284 wrote to memory of 2684	2284	cmd.exe	43
PID 2284 wrote to memory of 2684	2284	cmd.exe	43
PID 2284 wrote to memory of 2556	2284	cmd.exe	44
PID 2284 wrote to memory of 2556	2284	cmd.exe	44
PID 2284 wrote to memory of 2556	2284	cmd.exe	44
PID 2684 wrote to memory of 2224	2684	net.exe	45
PID 2684 wrote to memory of 2224	2684	net.exe	45
PID 2684 wrote to memory of 2224	2684	net.exe	45
PID 2284 wrote to memory of 2772	2284	cmd.exe	46
PID 2284 wrote to memory of 2772	2284	cmd.exe	46
PID 2284 wrote to memory of 2772	2284	cmd.exe	46
PID 2284 wrote to memory of 2572	2284	cmd.exe	47
PID 2284 wrote to memory of 2572	2284	cmd.exe	47
PID 2284 wrote to memory of 2572	2284	cmd.exe	47
PID 2772 wrote to memory of 2688	2772	net.exe	48
PID 2772 wrote to memory of 2688	2772	net.exe	48
PID 2772 wrote to memory of 2688	2772	net.exe	48

C:\Users\Admin\AppData\Local\Temp\c0a1c2e12875e25454ed903f70af08d78d4d1668a9754ada2f11e555bec02581N.exe
"C:\Users\Admin\AppData\Local\Temp\c0a1c2e12875e25454ed903f70af08d78d4d1668a9754ada2f11e555bec02581N.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:584
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\D865.tmp\password.bat" C:\Users\Admin\AppData\Local\Temp\c0a1c2e12875e25454ed903f70af08d78d4d1668a9754ada2f11e555bec02581N.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Windows\system32\chcp.com
    chcp 437
    3⤵
    PID:2632
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic useraccount get name
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:276
- - C:\Windows\system32\findstr.exe
    findstr -v Name
    3⤵
    PID:2256
- - C:\Windows\system32\net.exe
    net user Admin
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Admin
      4⤵
      PID:2708
- - C:\Windows\system32\findstr.exe
    findstr Password
    3⤵
    PID:2692
- - C:\Windows\system32\net.exe
    net user Administrator
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Administrator
      4⤵
      PID:2660
- - C:\Windows\system32\findstr.exe
    findstr Password
    3⤵
    PID:2944
- - C:\Windows\system32\net.exe
    net user Guest
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Guest
      4⤵
      PID:2224
- - C:\Windows\system32\findstr.exe
    findstr Password
    3⤵
    PID:2556
- - C:\Windows\system32\net.exe
    net user
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user
      4⤵
      PID:2688
- - C:\Windows\system32\findstr.exe
    findstr Password
    3⤵
    PID:2572

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D865.tmp\password.bat

Filesize
387B

MD5
5e4b4f1d6d501f3445d7b46d870ccc44

SHA1
116ac1b4bf93a803231d86a94521eb8a0b49af57

SHA256
cc7b990a2c81aedfab269ae6aef0c369940b238374c7f8cca219336df467d55b

SHA512
27a975d6ebf5c8657dc2916a3966a4aaf3c5f5162eb89085a2836129aa5f9de8e4bcc13123518a054e65513f36320f3357b8a941db283e9ac9a6ed19cb88b344

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads